Abstract: It is well known that Shor's quantum algorithm for integer factorization can break the RSA public-key cryptosystem, which is widely used in many cryptographic applications. Thus, public-key cryptosystems in the quantum computational setting are longed for in cryptology. In order to define the security notions of public-key cryptosystems, we have to model the power of the sender, receiver, adversary and channel. While we may consider a setting where quantum computers are available only to adversaries, we generally discuss what the right security notions are for (quantum) public-key cryptosystems in the quantum computational setting. Moreover, we consider the security of the quantum public-key cryptosystems known so far.
1 Introduction

Shor's quantum algorithm [23] for the integer factorization problem can break the RSA cryptosystem. This fact may be seen as a negative aspect of the power of quantum mechanics. On the other hand, the quantum key distribution protocol due to Bennett and Brassard [4] is one of the most successful cryptographic systems. It is natural to consider that we can defend even public-key cryptosystems against quantum adversaries by using quantum computers. Since lattice-based cryptosystems such as the Ajtai-Dwork public-key cryptosystem [2] are based on the computational hardness of the shortest vector problem (SVP), which is not known to be efficiently solvable by quantum computers, they have attracted researchers' attention [20, 21, 22].

Basically, lattice-based cryptosystems are classical ones that are likely to withstand quantum adversaries. On the other hand, there are public-key cryptosystems in which the power of quantum computation is ingeniously applied. The first quantum public-key cryptosystem was proposed by Okamoto, Tanaka and Uchiyama [19]. The Okamoto-Tanaka-Uchiyama system (OTU00 system, for short) is one of the knapsack-based cryptosystems, which are based on the hardness of some subproblems of the NP-complete knapsack problem (or the subset sum problem). Generally speaking, the security of cryptosystems is related to the average-case complexity of their underlying problems, and some knapsack-based cryptosystems have actually been broken. Early knapsack-based cryptosystems utilized hidden linear relations between the public key and the secret key, and the attack algorithms could efficiently find these hidden linear relations. Chor and Rivest [5] incorporated "easily solvable" discrete logarithmic relations into the key generation in order to prevent the above attack algorithms and proposed a knapsack-based cryptosystem. The OTU00 system can be seen as an extension of the Chor-Rivest system, since "arbitrary" discrete logarithmic relations can be introduced in the key generation of the OTU00 system by using Shor's algorithm.

The OTU00 system requires that receivers have quantum computers to generate keys, and all other information is totally classical. On the other hand, Kawachi, Koshiba, Nishimura and Yamakami [13] proposed a quantum public-key cryptosystem where the parties concerned, including the adversary and the channel, are quantum. The Kawachi-Koshiba-Nishimura-Yamakami system (KKNY05 system, for short) is the first provably secure quantum public-key cryptosystem (with respect to the indistinguishability property). In [13], it is shown that if there exists an efficient quantum algorithm that breaks the KKNY05 system, then the graph automorphism problem can be solved efficiently even in the worst case. The KKNY05 system can be seen as a quantum extension of the Goldwasser-Micali probabilistic encryption system [12]. In [12], they introduced two security notions for public-key cryptosystems: the indistinguishability (a.k.a. polynomial security) and the semantic security. Their probabilistic encryption was shown to have the indistinguishability in [12] and was later shown to be semantically secure as a consequence of the equivalence between the indistinguishability and the semantic security [17].

In this paper, we discuss the appropriate definitions of security notions for quantum public-key cryptosystems and derive relations among them. In the case of classical public-key cryptosystems, security notions are defined in terms of the adversary model and the goal of the adversary [3]. As adversary models, there are the ciphertext only attack, the chosen plaintext attack and the (non-adaptive/adaptive) chosen ciphertext attack. As goals of the adversary, we usually consider the one-wayness (of the encryption function), the indistinguishability (of encrypted messages), semantic security [12] and non-malleability [8]. For example, the ElGamal public-key cryptosystem [9] is one-way (against chosen plaintext attack) on the assumption that the computational Diffie-Hellman problem [7] is hard, and semantically secure (against chosen plaintext attack) on the assumption that the decisional Diffie-Hellman problem is hard. Moreover, the Cramer-Shoup public-key cryptosystem [6], an extension of the ElGamal cryptosystem, is shown to be non-malleable against adaptive chosen ciphertext attack on the assumption that the decisional Diffie-Hellman problem is hard and there exists a family of universal one-way hash functions.

As mentioned, we discuss the validity of the analogous definitions of security notions for quantum public-key cryptosystems. The discussion involves the compatibility with the no-cloning theorem and the difference between quantum and classical leakage of information from the ciphertext. (For example, it is known that imperfect randomness alters the security notions of public-key cryptography [15, 16].) In this paper, we consider how to define security notions for quantum public-key cryptography and in particular revisit the definition of the event that no information is leaked from the ciphertext. Specifically, we give an analogous definition of the indistinguishability for quantum public-key cryptosystems and two definitions of the semantic security, from the viewpoints of classical and quantum leakage respectively, and show the equivalence (against chosen plaintext attack) among them. We also give a quantum definition of non-malleability and show the equivalence between the indistinguishability and the non-malleability against chosen ciphertext attack. As a corollary of the equivalence, we show that the KKNY05 system is semantically secure.
2 Security Notions of Classical Public-Key Cryptography



Before considering quantum public-key cryptosystems, we review classical public-key cryptosystems 
and their security notions. 

Definition 2.1 A public-key cryptosystem is described by a quadruple $(G, M, E, D)$. Each component is defined as follows.

1. A key generation algorithm $G$ is a probabilistic polynomial-time algorithm that on input $1^n$ (the unary representation of $n$) outputs a pair $(e, d)$ of strings, where $e$ is called the encryption key and $d$ the decryption key.

2. $M = \{M_n\}_{n \ge 1}$ is a family of plaintext spaces to which every plaintext message belongs. We also assume that the description of $M_n$ can be output by a polynomial-time (uniform) algorithm.

3. For every $n$, every $(e, d) \in \mathrm{supp}(G(1^n))$ and every $a \in M_n$, a probabilistic polynomial-time encryption algorithm $E$ and a deterministic polynomial-time decryption algorithm $D$ satisfy $\Pr_E[D(d, E(e, a)) = a] = 1$.

The integer $n$ is sometimes called the security parameter. The string $E(e, a)$ is the encryption of a plaintext $a \in M_n$ with respect to the encryption key $e$, and $D(d, \beta)$ is the decryption of a ciphertext $\beta$ with respect to the decryption key $d$. Though the encryption and decryption keys are fed to the encryption algorithm $E$ and the decryption algorithm $D$ respectively, we sometimes use the notation $E_e(\cdot)$ and $D_d(\cdot)$.

Before reviewing security notions for public-key cryptosystems, we consider what the ingredients of the security notions should be.

Attack Models 

Attack models on public-key cryptosystems in general consist of two phases. In the first phase, an adversary is given the public key $e$, where $(e, d)$ is distributed according to $G(1^n)$. In the second phase, the adversary is given a challenge ciphertext. As attack models, the ciphertext only attack (COA), the chosen plaintext attack (CPA) and the chosen ciphertext attack (CCA) are well known. What distinguishes them is which oracle the adversary can invoke. The adversary in the COA model cannot invoke any oracle. The adversary in the CPA model can access an oracle that replies to a plaintext query with the corresponding ciphertext. In the classical setting, the COA and CPA models are equivalent because the adversary can encrypt any chosen message by himself using the public key. Since the relation between the COA and CPA models in the quantum setting is subtle, we postpone this issue to the next section. The adversary in the CCA model can access an oracle that replies to a ciphertext query with the corresponding plaintext. If the adversary can invoke the CCA oracle only in the first phase, the model is called non-adaptive CCA or CCA1. If the adversary can invoke the CCA oracle in both phases, the model is called adaptive CCA or CCA2. Note that there is a limitation on oracle invocation in the second phase: the adversary is not allowed to ask the challenge ciphertext itself. Otherwise the notion does not make sense.
Computational Models of Adversaries

In general, the adversary is modeled by a probabilistic polynomial-time Turing machine, as legitimate users are. We sometimes adopt a polynomial-size circuit family as a slightly stronger computational model of the adversary. In this paper, we define the security notions in terms of the non-uniform computational model. Though the technical difficulties in uniform models and in non-uniform models may be quite different, we adopt the non-uniform model to simplify the discussion. That enables us to grasp the essence of the security notions. More details on the uniform and the non-uniform models in cryptography can be found in [10].

Goals of Adversaries 

Security notions are defined by determining when we say that the adversary succeeds in the attack. As goals of the adversary, the one-wayness (of the encryption), the indistinguishability (of ciphertexts), semantic security and non-malleability have been well studied.

Before giving the definitions, we prepare some terminology. A function $\mu : \mathbb{N} \to \mathbb{R}$ is negligible with respect to $k$ if $\mu(k) < 1/p(k)$ for every positive polynomial $p(\cdot)$ and every sufficiently large $k$. A function $\psi : \{0,1\}^* \to \{0,1\}^*$ is polynomially bounded if there exists a polynomial $q(\cdot)$ such that $|\psi(x)| < q(k)$ for every $k$ and every $x \in \{0,1\}^k$.

Definition 2.2 A (classical) public-key cryptosystem $(G, M, E, D)$ is one-way if for every family $\{C_n\}_{n \ge 1}$ of polynomial-size circuits,
$$\Pr_{G, E, X_n}\bigl[\, C_n(e, E_e(a)) = a \,\bigm|\, (e, d) \leftarrow G(1^n);\ a \leftarrow X_n \,\bigr]$$
is negligible with respect to $n$, where $X_n$ is the uniform distribution on $M_n$.

Remark. The above definition is slightly different from the standard one. This is because the size of $M_n$ does not always depend on $n$. Typically, we may consider the case $M_n = \{0, 1\}$. Moreover, $C_n$ can invoke the oracles corresponding to the attack model. Unless otherwise stated, we do not explicitly describe the oracle.

Definition 2.3 A public-key cryptosystem $(G, M, E, D)$ has the indistinguishability if for every family $\{C_n\}_{n \ge 1}$ of polynomial-size circuits, every positive polynomial $p$, every sufficiently large $n$ and every $x, y \in M_n$,
$$\Bigl|\, \Pr\bigl[C_n(e, E_e(x)) = 1 \bigm| (e, d) \leftarrow G(1^n)\bigr] - \Pr\bigl[C_n(e, E_e(y)) = 1 \bigm| (e, d) \leftarrow G(1^n)\bigr] \,\Bigr| < \frac{1}{p(n)}.$$

Definition 2.4 A public-key cryptosystem $(G, M, E, D)$ is semantically secure if there exists a (uniform) probabilistic polynomial-time computable transformation $T$ such that for every family $\{C_n\}_{n \ge 1}$ of polynomial-size circuits, every probability ensemble $\{X_n\}_{n \ge 1}$ with each $X_n$ on $M_n$, and every pair of polynomially bounded functions $f, h : \{0,1\}^* \to \{0,1\}^*$,
$$\Bigl|\, \Pr_{G, E, X_n}\bigl[C_n(e, E_e(a), h(a)) = f(a) \bigm| (e, d) \leftarrow G(1^n);\ a \leftarrow X_n\bigr] - \Pr_{T, G, X_n}\bigl[C'_n(e, h(a)) = f(a) \bigm| (e, d) \leftarrow G(1^n);\ a \leftarrow X_n\bigr] \,\Bigr|$$
is negligible with respect to $n$, where $C'_n = T(C_n)$.
Remark. The functions $f, h$ in the above are not necessarily recursive.



Definition 2.5 A public-key cryptosystem $(G, M, E, D)$ is non-malleable if there exists a (uniform) probabilistic polynomial-time computable transformation $T$ such that for every family $\{C_n\}_{n \ge 1}$ of polynomial-size circuits, every probability ensemble $\{X_n\}_{n \ge 1}$ with each $X_n$ on $M_n$, every polynomially bounded function $h : \{0,1\}^* \to \{0,1\}^*$ and every relation $R$ computable by a family of polynomial-size circuits,
$$\Bigl|\, \Pr_{G, X_n}\bigl[C_n(e, E_e(a), h(a)) = E_e(a') \wedge (a, a') \in R \bigm| (e, d) \leftarrow G(1^n);\ a \leftarrow X_n\bigr] - \Pr_{T, G, X_n}\bigl[C'_n(e, h(a)) = E_e(a') \wedge (a, a') \in R \bigm| (e, d) \leftarrow G(1^n);\ a \leftarrow X_n\bigr] \,\Bigr|$$
is negligible with respect to $n$, where $C'_n = T(C_n)$.



For these security notions, the following theorems hold.

Theorem 2.1 ([12], [17]) A public-key cryptosystem $(G, M, E, D)$ is semantically secure against the chosen plaintext attack if and only if $(G, M, E, D)$ has the indistinguishability against the chosen plaintext attack.

Theorem 2.2 ([3]) A public-key cryptosystem $(G, M, E, D)$ is non-malleable against the adaptive chosen ciphertext attack if and only if $(G, M, E, D)$ has the indistinguishability against the adaptive chosen ciphertext attack. (The indistinguishability against the chosen plaintext attack alone does not suffice: ElGamal has it under the decisional Diffie-Hellman assumption, yet multiplying the second component of an ElGamal ciphertext by a group element yields a valid encryption of a related plaintext, so ElGamal is malleable.)

Other relations can be found in [3], though the definitions there are slightly different from ours.



3 Security Notions for Quantum Public-Key Cryptography 

We begin with a definition of quantum public-key cryptosystems, which generalizes that of classical public-key cryptosystems. In this paper, we focus on cryptosystems in which all plaintext messages are classical.

Definition 3.1 A quantum public-key cryptosystem is a quadruple $(G, M, E, D)$, where each component is defined as follows.

1. A key generator $G$ is a (probabilistic) efficient quantum algorithm that, on input $1^n$, outputs a pair $(e, d)$. We call $e$ the encryption key and $d$ the decryption key.

2. $M = \{M_n\}$ denotes a family of plaintext spaces, where each plaintext is classical. We also assume that the description of $M_n$ can be output by a polynomial-time quantum algorithm.

3. For each $n$, $(e, d) \in \mathrm{supp}(G(1^n))$ and $a \in M_n$, the probabilistic quantum encryption algorithm $E$ and the deterministic quantum decryption algorithm $D$ satisfy $\Pr_E[D_d(E_e(a)) = a] = 1$.

Remark. Note that $(e, d)$ may be a pure quantum state or a mixed quantum state. Since mixed states are probabilistic mixtures of pure states, we assume that $(e, d)$ is a pure state without loss of generality. That is, $G$ probabilistically outputs a pure state $(e, d)$.
Practical Requirements

In public-key cryptography, for each key pair $(e, d)$, one receiver and a number of senders are involved. Thus, if $e$ and $d$ are entangled, the receiver must keep as many copies of the decryption key $d$ as there are senders. Though there are applications where this situation is useful, we consider that $(e, d)$ should not be entangled for the standard usage of public-key cryptography. Similarly, we consider that the decryption key $d$ should be a classical state. Thus, a key generation algorithm $G$ outputs $d$ first (and probabilistically) and then outputs $e$ according to $d$. This means that there is a sub-procedure $G'$ that, given $d$, outputs $e$. The existence of such a $G'$ allows a situation where there is one decryption key and a bunch of corresponding encryption keys. In this paper, we assume that quantum public-key cryptosystems satisfy the above requirements.

As in the classical case, we consider what the ingredients of the security notions should be.



Attack Models 

As in the classical case, the ciphertext only attack, the chosen plaintext attack and the chosen ciphertext attack can be considered. In each attack model, the public key is given to the adversary. Quantum public keys seem to differ from classical ones because of the no-cloning theorem. The nature of public-key cryptosystems is that anybody can freely access public keys, which implies the existence of some machinery that generates many copies of the public key and is available even to the adversary. Thus, we suppose that $G(1^n)$ outputs $(e, d)$ and $e^{\otimes \mathrm{poly}(n)}$ is fed to the adversary. In this setting, the ciphertext only attack is equivalent to the chosen plaintext attack.

In the chosen ciphertext attack model, we give a way to make queries in the quantum setting. The adversary queries a quantum superposition of ciphertexts to the oracle. As in the classical case, the amplitude of the target (challenge) ciphertext in the superposition must be zero.



Computational Models of Adversaries 

Though we could take a polynomial-size quantum circuit family as the computational model of the adversary, we adopt a different one. We rather take a polynomial-size quantum circuit family with (non-uniform) quantum advice, as in [1, 18]. This is because in this computational model the distinguishability between two mixed states $\rho$ and $\sigma$ coincides with the distinguishability between $\rho^{\otimes \mathrm{poly}(n)}$ and $\sigma^{\otimes \mathrm{poly}(n)}$ (in the computational sense).



Goals of Adversaries 



Definition 3.2 A quantum public-key cryptosystem $(G, M, E, D)$ is said to be one-way if for every family $\{C_n, |a_n\rangle\}_{n \ge 1}$ of polynomial-size quantum circuits with quantum advice, the following probability is negligible:
$$\Pr_{G, E, X_n}\bigl[\, C_n(e^{\otimes \mathrm{poly}(n)}, E_e(a), |a_n\rangle) = a \,\bigm|\, (e, d) \leftarrow G(1^n);\ a \leftarrow X_n \,\bigr],$$
where $X_n$ is the uniform distribution over $M_n$.
Here, we consider the behavior of the encryption algorithm $E$. One may consider it desirable that the public-key state remains as it is after running $E$ and is re-usable. (This is an option, not a requirement.) In this case, we can write the execution of $E_e(a)$ as
$$E|e\rangle|a\rangle|0\rangle = |e\rangle|\beta\rangle|\psi_{e,a}\rangle,$$
where $|\psi_{e,a}\rangle$ is a kind of garbage. In this case, the encryption $E$ must essentially produce a non-trivial garbage state; otherwise $E_e$ is obviously an invertible circuit. Also note that the ciphertext is a mixed state for the receiver, since the sender in public-key cryptography cannot be the adversary and $|\psi_{e,a}\rangle$ is just the sender's local information. On the other hand, if the encryption $E$ collapses the public-key state $e$, the ciphertext may be a pure state.

From now on, we define several security notions.

Definition 3.3 A quantum public-key cryptosystem $(G, M, E, D)$ has the indistinguishability if for every family $\{C_n, |a_n\rangle\}_{n \ge 1}$ of polynomial-size quantum circuits with quantum advice, every polynomial $p(\cdot)$, every sufficiently large $n$ and every distinct pair $x, y \in M_n$, the following quantity is less than $1/p(n)$:
$$\Bigl|\, \Pr\bigl[C_n(e^{\otimes \mathrm{poly}(n)}, E_e(x), |a_n\rangle) = 1 \bigm| (e, d) \leftarrow G(1^n)\bigr] - \Pr\bigl[C_n(e^{\otimes \mathrm{poly}(n)}, E_e(y), |a_n\rangle) = 1 \bigm| (e, d) \leftarrow G(1^n)\bigr] \,\Bigr|.$$

The above definition is just a quantum counterpart of the classical definition. On the other hand, some care must be taken when we give a quantum counterpart of "semantic security". We need to decide how to give a semantics to the strong secrecy in the quantum computational model. While, in our setting, the information we would like to transmit is classical, the information leaked from the ciphertext may be either classical or quantum. Accordingly, we give two possible definitions of semantic security.

Definition 3.4 A quantum public-key cryptosystem $(G, M, E, D)$ is said to be semantically c-secure if there exists a (probabilistic) polynomial-time computable uniform quantum transformation $T$ such that for every family $\{C_n, |a_n\rangle\}_{n \ge 1}$ of polynomial-size quantum circuits with quantum advice, every probability ensemble $\{X_n\}_{n \ge 1}$ with each $X_n$ on $M_n$, every polynomially bounded function $f : \{0,1\}^* \to \{0,1\}^*$ and every polynomially bounded quantum function $h : \{0,1\}^* \to \mathcal{H}^*$, the following quantity is negligible with respect to $n$:
$$\Bigl|\, \Pr_{G, E, X_n}\bigl[C_n(e^{\otimes \mathrm{poly}(n)}, E_e(a), h(a), |a_n\rangle) = f(a) \bigm| (e, d) \leftarrow G(1^n);\ a \leftarrow X_n\bigr] - \Pr_{T, G, X_n}\bigl[C'_n(e^{\otimes \mathrm{poly}(n)}, h(a), |a'_n\rangle) = f(a) \bigm| (e, d) \leftarrow G(1^n);\ a \leftarrow X_n\bigr] \,\Bigr|,$$
where $(C'_n, |a'_n\rangle) = T(C_n, |a_n\rangle)$.



Definition 3.5 A quantum public-key cryptosystem $(G, M, E, D)$ is said to be semantically q-secure if there exists a (probabilistic) polynomial-time computable uniform quantum transformation $T$ such that for every family $\{C_n, |a_n\rangle\}_{n \ge 1}$ of polynomial-size quantum circuits with quantum advice, every distribution family $\{X_n\}_{n \ge 1}$ with each $X_n$ on $M_n$, and every pair of polynomially bounded quantum functions $f, h : \{0,1\}^* \to \mathcal{H}^*$, the following quantity is negligible:
$$\begin{aligned}
\Biggl|\, &\sum_{\substack{(e,d) \in \mathrm{supp}(G(1^n)) \\ a \in M_n}} \bigl|\langle C_n(e^{\otimes \mathrm{poly}(n)}, E_e(a), h(a), |a_n\rangle) \,|\, f(a)\rangle\bigr|^2 \cdot \Pr[G(1^n) = (e, d) \wedge X_n = a] \\
&- \sum_{\substack{(e,d) \in \mathrm{supp}(G(1^n)) \\ a \in M_n \\ (C'_n, |a'_n\rangle) \in \mathrm{supp}(T(C_n, |a_n\rangle))}} \bigl|\langle C'_n(e^{\otimes \mathrm{poly}(n)}, h(a), |a'_n\rangle) \,|\, f(a)\rangle\bigr|^2 \cdot \Pr[G(1^n) = (e, d) \wedge X_n = a \wedge T(C_n, |a_n\rangle) = (C'_n, |a'_n\rangle)] \,\Biggr|,
\end{aligned}$$
where $(C'_n, |a'_n\rangle) = T(C_n, |a_n\rangle)$.

We have the following equivalence among the three security notions above. 

Theorem 3.1 Against the chosen plaintext attack, the indistinguishability, the semantic c-security, 
and the semantic q-security for quantum public-key cryptosystems are all equivalent. 

Proof. First, we show that the semantic q-security implies the indistinguishability. Suppose that a quantum public-key cryptosystem $(G, M, E, D)$ does not have the indistinguishability; namely, there exist a family $\{D_n, |b_n\rangle\}_{n \ge 1}$ of polynomial-size quantum circuits with quantum advice and some polynomial $p(\cdot)$ such that, for infinitely many $n$, some pair $x_n$ and $\tilde{x}_n$, both in $M_n$, satisfies the following:
$$\Bigl|\, \Pr_{G, E}\bigl[D_n(e^{\otimes \mathrm{poly}(n)}, E_e(x_n), |b_n\rangle) = 1\bigr] - \Pr_{G, E}\bigl[D_n(e^{\otimes \mathrm{poly}(n)}, E_e(\tilde{x}_n), |b_n\rangle) = 1\bigr] \,\Bigr| > \frac{1}{p(n)}.$$
Without loss of generality (exchanging the roles of $x_n$ and $\tilde{x}_n$ if necessary), for infinitely many $n$, some pair $x_n$ and $\tilde{x}_n$, both in $M_n$, satisfies
$$\Pr_{G, E}\bigl[D_n(e^{\otimes \mathrm{poly}(n)}, E_e(x_n), |b_n\rangle) = 1\bigr] - \Pr_{G, E}\bigl[D_n(e^{\otimes \mathrm{poly}(n)}, E_e(\tilde{x}_n), |b_n\rangle) = 1\bigr] > \frac{1}{p(n)}.$$
Here we let $X_n$ be the probability distribution satisfying $\Pr[X_n = x_n] = \Pr[X_n = \tilde{x}_n] = 1/2$ and $f$ be a function such that $f(x_n) = 1$ and $f(\tilde{x}_n) = 0$. Now, we construct a family $\{C_n\}_{n \ge 1}$ of polynomial-size circuits as follows. For a given input $(e^{\otimes \mathrm{poly}(n)}, E_e(x), |b_n\rangle)$, $C_n$ computes $D_n(e^{\otimes \mathrm{poly}(n)}, E_e(x), |b_n\rangle)$ and outputs the return value of $D_n$. Then we estimate the value of $|\langle C_n(e^{\otimes \mathrm{poly}(n)}, E_e(x), |b_n\rangle) \,|\, f(x)\rangle|^2$ when $x$ is chosen according to $X_n$:
$$\begin{aligned}
&\sum_{\substack{(e,d) \in \mathrm{supp}(G(1^n)) \\ x \in \{x_n, \tilde{x}_n\}}} \bigl|\langle C_n(e^{\otimes \mathrm{poly}(n)}, E_e(x), |b_n\rangle) \,|\, f(x)\rangle\bigr|^2 \cdot \Pr[G(1^n) = (e, d) \wedge X_n = x] \\
&= \Pr_{(e,d) \leftarrow G(1^n),\ x \leftarrow X_n}\bigl[C_n(e^{\otimes \mathrm{poly}(n)}, E_e(x), |b_n\rangle) = f(x)\bigr] \\
&= \tfrac{1}{2} \Pr\bigl[C_n(e^{\otimes \mathrm{poly}(n)}, E_e(x_n), |b_n\rangle) = f(x_n)\bigr] + \tfrac{1}{2} \Pr\bigl[C_n(e^{\otimes \mathrm{poly}(n)}, E_e(\tilde{x}_n), |b_n\rangle) = f(\tilde{x}_n)\bigr] \\
&= \tfrac{1}{2}\Bigl(\Pr\bigl[D_n(e^{\otimes \mathrm{poly}(n)}, E_e(x_n), |b_n\rangle) = 1\bigr] + 1 - \Pr\bigl[D_n(e^{\otimes \mathrm{poly}(n)}, E_e(\tilde{x}_n), |b_n\rangle) = 1\bigr]\Bigr) \\
&> \frac{1}{2} + \frac{1}{2p(n)}.
\end{aligned}$$
On the other hand, since $f(X_n)$ is uniformly distributed over $\{0, 1\}$, for any family $\{C'_n, |a'_n\rangle\}_{n \ge 1}$ of polynomial-size quantum circuits with quantum advice that does not receive the ciphertext, the following holds:
$$\sum_{\substack{(e,d) \in \mathrm{supp}(G(1^n)) \\ x \in \{x_n, \tilde{x}_n\}}} \bigl|\langle C'_n(e^{\otimes \mathrm{poly}(n)}, |a'_n\rangle) \,|\, f(x)\rangle\bigr|^2 \cdot \Pr[G(1^n) = (e, d) \wedge X_n = x] \le \frac{1}{2}.$$
This implies that $(G, M, E, D)$ is not semantically q-secure.

Secondly, we show that the indistinguishability implies the semantic q-security. Suppose that there exist a family $\{C_n, |a_n\rangle\}_{n \ge 1}$ of polynomial-size quantum circuits with quantum advice, a polynomial $p(\cdot)$ and polynomially bounded quantum functions $h, f$ such that, for infinitely many $n$, the following holds:
$$\begin{aligned}
&\sum_{\substack{(e,d) \in \mathrm{supp}(G(1^n)) \\ a \in M_n}} \bigl|\langle C_n(e^{\otimes \mathrm{poly}(n)}, E_e(a), h(a), |a_n\rangle) \,|\, f(a)\rangle\bigr|^2 \cdot \Pr[G(1^n) = (e, d) \wedge X_n = a] \\
&- \sum_{\substack{(e,d) \in \mathrm{supp}(G(1^n)) \\ a \in M_n}} \bigl|\langle C'_n(e^{\otimes \mathrm{poly}(n)}, h(a), |a'_n\rangle) \,|\, f(a)\rangle\bigr|^2 \cdot \Pr[G(1^n) = (e, d) \wedge X_n = a] > \frac{1}{p(n)}.
\end{aligned}$$
In the above, $C'_n$ is the circuit that selects a message $a' \in M_n$, feeds $(e^{\otimes \mathrm{poly}(n)}, E_e(a'), h(a), |a_n\rangle)$ to $C_n$ and outputs the return value of $C_n$. Also we let $|a'_n\rangle = |a_n\rangle$. Because of the descriptional uniformity of $M = \{M_n\}_{n \ge 1}$, (the description of) $C'_n$ can be produced from $C_n$ by a uniform polynomial-time quantum transformation $T$. Then,
$$\begin{aligned}
&\sum_{\substack{(e,d) \in \mathrm{supp}(G(1^n)) \\ a \in M_n}} \bigl|\langle C_n(e^{\otimes \mathrm{poly}(n)}, E_e(a), h(a), |a_n\rangle) \,|\, f(a)\rangle\bigr|^2 \cdot \Pr[G(1^n) = (e, d) \wedge X_n = a] \\
&- \sum_{\substack{(e,d) \in \mathrm{supp}(G(1^n)) \\ a \in M_n}} \bigl|\langle C_n(e^{\otimes \mathrm{poly}(n)}, E_e(a'), h(a), |a_n\rangle) \,|\, f(a)\rangle\bigr|^2 \cdot \Pr[G(1^n) = (e, d) \wedge X_n = a] > \frac{1}{p(n)}.
\end{aligned}$$
We take a message $a \in M_n$ that maximizes the above difference and let $x_n$ be that message. (Since both sums are averages over $a \leftarrow X_n$, at least one $a$ attains a difference greater than $1/p(n)$.)

By using $C_n$ we construct a circuit $D_n$ as follows. For a given input $(e^{\otimes \mathrm{poly}(n)}, E_e(a), |a_n\rangle)$, $D_n$ computes $C_n(e^{\otimes \mathrm{poly}(n)}, E_e(a), h(x_n), |a_n\rangle)$ and measures the state obtained by $C_n$ with respect to $\Pi_0 = |f(x_n)\rangle\langle f(x_n)|$ and $\Pi_1 = I - \Pi_0$; $D_n$ outputs 1 if the state is projected onto $\Pi_0$ and 0 otherwise. (Note that we may use a polynomial-time computable approximation of the projection instead of the exact one.) Then we have
$$\Pr_{G}\bigl[D_n(e^{\otimes \mathrm{poly}(n)}, E_e(x_n), |a_n\rangle) = 1\bigr] - \Pr_{G}\bigl[D_n(e^{\otimes \mathrm{poly}(n)}, E_e(a'), |a_n\rangle) = 1\bigr] > \frac{1}{p(n)}.$$
This implies that $(G, M, E, D)$ does not have the indistinguishability.

Now, we have the equivalence of the indistinguishability and the semantic q-security. The notion of semantic c-security is an intermediate notion between the indistinguishability and the semantic q-security. Actually, the proof of the equivalence between the indistinguishability and the semantic q-security essentially includes a proof of the equivalence between the indistinguishability and the semantic c-security. □

Remark. If we take polynomial-size quantum circuit family (without quantum advice) as a com- 
putational model of the adversary, we do not know whether the above equivalences still hold. This 
is because we essentially use the power of quantum advice in our proof. 
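The two reductions above, and the malleability that makes Theorem 2.2 demand CCA2 rather than CPA, can be rehearsed on a classical scheme that the introduction already names. The following Python block is an added example, not code from the paper, from [13] or from any implementation discussed there: it instantiates textbook ElGamal in the prime-order subgroup of $\mathbb{Z}_{1019}^*$ (toy parameters chosen for readability; they offer no security) and shows (i) an adversary that turns $E_e(a)$ into $E_e(G \cdot a)$ without learning $a$, violating Definition 2.5 for the relation $R = \{(a, a') : a' = G a\}$; (ii) how a CCA2 decryption oracle, which refuses only the challenge itself, turns that mauled ciphertext into the challenge plaintext, the oracle step in the second half of the proof of Theorem 3.2; and (iii) the classical analogue of the first half of the proof of Theorem 3.1, where a distinguisher $D_n$ for a pair $(x_n, \tilde{x}_n)$ (here: against a derandomized variant that reuses its randomness $r$) becomes a semantic-security adversary $C_n$ with success $1/2 + 1/(2p(n))$, while the ciphertext-less $C'_n$ stays at $1/2$. The constants FIXED_R, X and X_TILDE and all function names are this example's own choices, not the paper's notation.

```python
"""Classical toy for Definitions 2.3-2.5 and the reductions of Theorems 3.1 and 3.2
(added example, not code from the paper). Textbook ElGamal in a prime-order subgroup
with toy parameters (p = 1019, no security) is used to show: the malleability of
Definition 2.5 for R = {(a, a') : a' = G*a}; the CCA2-oracle step of Theorem 3.2; and
the first half of the proof of Theorem 3.1, where a distinguisher D_n for (x_n, x~_n)
becomes a semantic-security adversary C_n for X_n uniform on that pair, f(x_n) = 1,
f(x~_n) = 0, while C'_n without the ciphertext cannot beat 1/2.
"""
import random

P, Q, G = 1019, 509, 4   # safe prime P = 2Q + 1; G = 2^2 generates the order-Q subgroup
FIXED_R = 7              # randomness reused by the derandomized (hence non-IND) variant

def keygen(rng):
    """d <- Z_Q first, then e = G^d: decryption key first, encryption key from it (Section 3)."""
    d = rng.randrange(1, Q)
    return pow(G, d, P), d

def encrypt(e, a, rng, r=None):
    """E_e(a) = (G^r, a * e^r). r=None draws fresh r; a fixed r gives a deterministic scheme."""
    if r is None:
        r = rng.randrange(1, Q)
    return pow(G, r, P), (a * pow(e, r, P)) % P

def decrypt(d, c):
    """D_d(c1, c2) = c2 * c1^(-d); c1 has order Q, so c1^(Q-d) = c1^(-d)."""
    c1, c2 = c
    return (c2 * pow(c1, Q - d, P)) % P

def maul(c, factor):
    """Turn E_e(a) into E_e(factor * a) knowing neither e nor a: scale the second component."""
    c1, c2 = c
    return c1, (c2 * factor) % P

def malleability_demo(rng):
    """Definition 2.5 violated: the adversary's output decrypts to a' with (a, a') in R."""
    e, d = keygen(rng)
    a = pow(G, rng.randrange(Q), P)          # plaintexts are subgroup elements
    return decrypt(d, maul(encrypt(e, a, rng), G)) == (G * a) % P

def cca2_recover(challenge, oracle):
    """Theorem 3.2, second half: the mauled ciphertext is a legal query (it is not the
    challenge); dividing the oracle's answer by G gives the challenge plaintext."""
    a_prime = oracle(maul(challenge, G))
    return (a_prime * pow(G, Q - 1, P)) % P   # G^(Q-1) = G^(-1) in the subgroup

def cca2_demo(rng):
    e, d = keygen(rng)
    a = pow(G, rng.randrange(Q), P)
    challenge = encrypt(e, a, rng)
    def oracle(c):                             # CCA2 oracle: refuses only the challenge itself
        if c == challenge:
            raise ValueError("the challenge ciphertext may not be queried")
        return decrypt(d, c)
    return cca2_recover(challenge, oracle) == a

X, X_TILDE = pow(G, 3, P), pow(G, 5, P)        # the pair (x_n, x~_n) the distinguisher separates
f = {X: 1, X_TILDE: 0}                          # f(x_n) = 1, f(x~_n) = 0 as in the proof

def distinguisher(e, c):
    """D_n: output 1 iff c is the derandomized encryption of X. Perfect against fixed-r
    ElGamal; against randomized ElGamal it fires only when the fresh r equals FIXED_R."""
    return 1 if c == encrypt(e, X, None, r=FIXED_R) else 0

def success_rates(rng, trials=2000, r=None):
    """Estimate Pr[C_n outputs f(a)] (C_n ignores h(a) and runs D_n) and Pr[C'_n outputs f(a)]
    (C'_n sees no ciphertext and guesses), for a <- X_n uniform on {X, X_TILDE}."""
    hit_c = hit_cprime = 0
    for _ in range(trials):
        e, _d = keygen(rng)
        a = rng.choice((X, X_TILDE))
        hit_c += distinguisher(e, encrypt(e, a, rng, r=r)) == f[a]
        hit_cprime += rng.randrange(2) == f[a]   # f(X_n) is a uniform bit: 1/2 is the ceiling for C'_n
    return hit_c / trials, hit_cprime / trials

def run_all(seed=1, trials=2000):
    """Reproducible run; use random.SystemRandom() instead of random.Random(seed) outside a demo."""
    rng = random.Random(seed)
    return (malleability_demo(rng), cca2_demo(rng),
            success_rates(rng, trials, r=FIXED_R), success_rates(rng, trials))

if __name__ == "__main__":
    malleable, cca, det, rnd = run_all()
    print("E(a) -> E(G*a) without knowing a:", malleable)
    print("CCA2 oracle on the mauled ciphertext recovers a:", cca)
    print("derandomized ElGamal  Pr[C=f(a)], Pr[C'=f(a)] =", det)
    print("randomized ElGamal    Pr[C=f(a)], Pr[C'=f(a)] =", rnd)
```

Running the block reports 1.0 for $C_n$ against the derandomized scheme (the distinguisher is perfect, so the advantage $1/(2p(n))$ is the full $1/2$) and about 0.5 for properly randomized ElGamal, where the same $D_n$ fires only when the fresh $r$ happens to equal FIXED_R, i.e. with probability $1/508$; the ciphertext-less guess sits at about 0.5 in both cases. The quantum advice $|a_n\rangle$ and the copies $e^{\otimes \mathrm{poly}(n)}$ of Section 3 have no classical counterpart and are not modeled.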
Definition 3.6 A quantum public-key cryptosystem $(G, M, E, D)$ is said to be non-malleable if there exists a (probabilistic) polynomial-time computable uniform quantum transformation $T$ such that for every family $\{C_n, |a_n\rangle\}_{n \ge 1}$ of polynomial-size quantum circuits with quantum advice, every distribution family $\{X_n\}_{n \ge 1}$ with each $X_n$ on $M_n$, every polynomially bounded quantum function $h : \{0,1\}^* \to \mathcal{H}^*$ and every relation $R$ computable by a family of polynomial-size quantum circuits (with quantum advice), the following quantity is negligible:
$$\begin{aligned}
\Bigl|\, &\Pr\bigl[C_n(e^{\otimes \mathrm{poly}(n)}, E_e(a), h(a), |a_n\rangle) = E_e(a') \wedge (a, a') \in R \bigm| (e, d) \leftarrow G(1^n);\ a \leftarrow X_n\bigr] \\
&- \Pr_{T, G, X_n}\bigl[C'_n(e^{\otimes \mathrm{poly}(n)}, h(a), |a'_n\rangle) = E_e(a') \wedge (a, a') \in R \bigm| (e, d) \leftarrow G(1^n);\ a \leftarrow X_n\bigr] \,\Bigr|,
\end{aligned}$$
where $(C'_n, |a'_n\rangle) = T(C_n, |a_n\rangle)$.



Theorem 3.2 Against the chosen ciphertext attack, the indistinguishability and the non-malleability for quantum public-key cryptosystems are equivalent.

Proof. (Sketch) The proof is almost the same as the proof of Theorem 3.1.

The proof that the non-malleability implies the indistinguishability corresponds to the first half of the proof of Theorem 3.1. In this part, we do not essentially use the power of the decryption oracle. We have only to rephrase $f(x) = 0$ and $f(\tilde{x}) = 1$ as $E_e(x)$ and $E_e(\tilde{x})$ respectively and to let $R$ be the identity relation.

The proof that the indistinguishability implies the non-malleability corresponds to the second half of the proof of Theorem 3.1. We can obtain, from the adversary, a ciphertext that violates the non-malleability and invoke the decryption oracle to recover the corresponding plaintext. Since $R$ is efficiently computable, we can then construct a distinguisher that checks whether the relation holds or not. □



4 Application

A quantum public-key cryptosystem is proposed in [13] and shown to have the indistinguishability under the assumption that the graph automorphism (GA) problem is computationally hard in the worst case. As a corollary, we have the following.

Corollary 4.1 The quantum public-key cryptosystem in [13] is semantically q-secure (against chosen plaintext attack) under the assumption that GA is a.e.-hard to compute by every family of polynomial-size quantum circuits with quantum advice.